THABACHWEU LOCAL MUNICIPALITY 


INFORMATION & COMMUNICATION 

TECHNOLOGY 


GOVERNANCE FRAMEWORK 



The Thaba Chweu Local Municipality policies are statements of principles and practices dealing 
with the on-going management and administration of the Municipality’s IT assets. This 
Governance Framework acts as a guiding frame of reference for how the Municipality deals with 
everything from its day-to-day IT operational and support procedures to compliance with security 
regulations and codes of practice. This “statement of purpose” will guide the actions to be taken to 
achieve that purpose. 
1. INTRODUCTION 

ICT is one of the key assets of a Municipality. ICT - the people, processes, infrastructure and 
information - is embedded across the Municipality, creating an enterprise-wide community of 
owners and stakeholders. As a major investment, ICT is expected to deliver value and has been 
found to deliver greater ‘value’ for the Municipality when used as a strategic enabler rather than being 
influenced by a stream of diverse tactical initiatives. 

“A governance structure with buy-in and setting of responsibilities is essential. Developing 
and implementing strategy are not necessarily complementary. Don’t lose sight that strategy means 
strategy, vision and setting out the direction. Responsibility for implementation should be passed 
on for others to do.” 

International research has revealed that top performing organizations manage their ICT with 
governance structures that harmonise enterprise objectives and structures with performance goals 
and metrics. But, although ICT governance is now recognized as the most influential factor in 
realizing ‘value’ from ICT, there is no single model that fits all, and each institution will need to 
develop its own ICT governance to meet its unique requirements. 

“Now consider these key questions: 

• What is the Municipality’s ICT governance structure? 

• What are your institution’s drivers in formulating ICT strategy? 

• How does the institution manage changes in strategy and exceptions from strategy? 

• How does the Municipality align institutional strategy and budgets with ICT strategy and 
budgets? 

• How does the Municipality assign responsibility and accountability for ICT implementations? 

2. WHAT IS ICT GOVERNANCE 

ICT Governance is defined as ‘specifying the decision rights and accountability framework to 
encourage desirable behavior in the use of IT. The complexity and difficulty of explaining IT 
governance is one of the most serious barriers to improvement.’ 

ICT governance is about who makes decisions while management is about taking and implementing 
the decisions. Effective ICT governance for the Municipality will answer three questions: 

• What decisions must be made 

• Who should make these decisions 

• How are they made and monitored 

3. HOW CAN ICT GOVERNANCE HELP? 

Good ICT governance is the foundation for delivering strategic ICT as it: 
3.1 Aligns ICT with institutional strategy: 

It provides clear and visible decision making at the appropriate level of senior management, and 
with ICT embedded across the institution, encourages more responsible and accountable business 
management, creating focus, understanding and improved delivery against goals. Alignment can 
deliver cost reductions, improved quality of service delivery, strategies for growth and strategies for 
diversification. 


3.2 Integrates structural requirements: 

Institutional structure and ICT services are harmonized to allow improved delivery of institutional 
goals. A less fragmented and more integrated approach to the use of ICT will deliver improved 
quality of information from the rationalization and sharing of services. 

3.3 Integrates business and technology for ICT value: 

Involves professionals, research, administration and ICT, resulting in improved decision making 
and buy-in for ICT changes. 

3.4 Provides a mechanism for understanding the use and opportunities for ICT: 

Improved visibility and accountability for ICT allows institutions to learn from their current ICT 
experience and encourage improvements for the future. Mechanisms for allowing exceptions to 
strategy ensure a clear argument; value and justification are visible and understood. 

3.5 Improves budgetary control and return on investment: 

Improved harmonization between institutional goals and ICT accountability and performance 
measures improves budgetary control and value. Measures of success are defined as service levels 
and as evaluation criteria for projects. 

3.6 Improves selection and use of new technologies: 

It supports ICT in balancing technological advancement against business priorities and return on 
investment (ROI). 

4. HOW IS ICT GOVERNANCE USED IN THE MUNICIPALITY? 

The variation in institutional structures, the different cultures influencing management styles and 
the ubiquitous nature of ICT within every department lead to wide-ranging differences in ICT 
governance. However, research findings can be used to highlight the practices that have been found 
to improve the delivery of strategic ICT. These findings are presented below across four areas, as 
follows: 
5. INSTITUTIONAL SYNERGY 

The growing importance of ICT in supporting institutional strategy and the need to provide agility 
requires that an institution is able to have a clear institution-wide view of both current and future 
requirements for ICT. Institutions have achieved this by: 

• The formulation of a documented and approved Master System Plan (MSP). 

• The cross-referencing of the MSP to reinforce alignment with the institutional strategy. 

• Using a process for review and updating of the strategy. 

6. GOVERNANCE DECISION AND MECHANISMS 

In order to ensure that the correct decisions are made regarding the deployment of services and 
systems, the following control mechanisms and guidelines shall be put in place: the ICT Steering 
Committee must be established, and the post of Chief Information Technology Officer must be 
approved and filled at all times. 

The MSP must be approved by the ICT Steering Committee and its implementation must be 
governed by the ICT Steering Committee. 

The Information Technology Policy must be approved in accordance with the Municipal Policy 
approval processes, and an ICT Security Officer must be appointed to ensure its implementation 
under the guidance of the Chief Information Technology Officer. 

An ICT decision making matrix must be established and used as a guideline for decision making at 
all levels of the Municipality. 

All ICT investments must be deliberated and approved by the ICT Steering Committee and must be in 
the MSP. 

ICT principles, policies and standards must be defined and adhered to. These assist in better 
decision making and management. It is expected that these will facilitate better investment 
proposals, progress reporting and measurements for value and ROI, and therefore support improved 
accuracy and availability of information to assist decision making and management. 

7. ICT GOVERNANCE GUIDELINES 

7.1 Management of Information Security 

The Municipality should ensure that its policy is finalized and approved by the appropriate level 
of management as a matter of urgency. The policy should then be implemented and communicated 
formally through a security awareness program. Compliance with the policy should be constantly 
monitored. 

People constitute the greatest risk to any organization, through accidents, mistakes and lack of 
knowledge, or occasionally through malicious intent. The municipality must make security awareness 
training compulsory for all, to ensure members cannot plead ignorance in case of breaches. 

The approved policy should be treated as a live document to promote continuous updates if and 
when changes occur. An individual must be assigned the responsibility for the maintenance of the 
policy. 


7.2 Communication Management 

The municipality must have documented standards, procedures or guidelines for the 
management/administration of its network. Critical system environments must be separated from 
the general user environments by implementing virtual private networks. Firewalls must be used to 
inspect traffic passing through the network, and the firewall logs must be actively monitored and managed 
in-house. 

An intrusion detection system (IDS) and an intrusion prevention system (IPS) must be in use. Security 
systems must be actively monitored and their logs must not be edited. The municipality was using 
Trend Micro & Kaspersky anti-virus software to detect and prevent electronic viruses. 

The municipality must have a patch management framework in place; without one its systems are 
vulnerable to compromise. If the municipality allows wireless access, it must be appropriately 
controlled and/or managed. 

Dealing with an information breach is not only embarrassing but also has legal implications, since 
there are notification requirements if sensitive employee or customer data is accessed 
inappropriately or potentially exposed to a breach. The development of a patch management 
strategy is therefore critical for the municipality to: 

• Determine the methods of obtaining patches 

• Specify methods of validating patches 

• Identify vulnerabilities that are applicable to the organization 

• Ensure all patches are tested against known criteria 

• Describe a detailed deployment method for patches 

• Report on the status of patches deployed across the organization 

• Include methods of dealing with patch failures 

7.2.1 Wireless 

Wireless is a great technology that offers benefits and requires great responsibility, a responsibility 
that is unfortunately much too often ignored when implementing it. A wireless network needs to be 
properly secured, as it poses a number of extremely serious risks and dangers if left wide open and 
exposed, of which many users are unaware, such as: 

7.2.2 Bandwidth Parasite 

Where an intruder uses the victim’s broadband connection to get online without paying. This may not 
cause any direct harm to the compromised network, but it can slow down internet or network access 
for the victim. 

7.2.3 Masking Criminal Activity 

Where an unauthorized user could abuse the victim’s connection for malicious purposes like 
hacking, launching a DoS attack, or distributing illegal material. 

7.2.4 Free Access to Private Data 

A wireless network is also a direct backdoor into the victim’s private network - literally. Instead of 
intruding from the public side of the gateway device, the intruder connects directly to the network 
on the private side of the gateway device, completely bypassing any hardware firewall between the 
private network and the broadband modem. The intruder can completely take advantage of this by 
snooping around undisturbed and getting access to confidential data. 

It is therefore imperative that Thaba Chweu Local Municipality should develop policies and 
procedures that will govern the security of its wireless networks. 

7.3 Problem Management 

The municipality must have operational procedures for the management of faults/incidents in the 
use or implementation of ICT services, of which users, third parties and contractors are aware. The 
documented procedures must address planning and preparation, detection, initiation, evaluation, 
containment, eradication, response, recovery, closure and post-incident review. 

Incidents must be tracked to identify trends and underlying causes of operational failures, with a 
view to long-term solutions. 

The municipality needs to have an emergency response process for dealing with serious incidents. The 
process includes: 

• Definition of an emergency situation or incident 

• Detailed description of roles and responsibilities 

• Defined response process allowing critical decisions to be made quickly 

• Defined steps to be taken in emergency situations 

• Contact details for all key personnel 

The municipality should enforce good practices in the management of problems/incidents. 
Management should ensure that they harmonise the discord that currently exists between procedures 
and processes. 


7.4 Asset Management 

The municipality must have satisfactory internal controls over the management of information assets. 
The municipality must keep an asset register, which is required to be updated regularly 
as and when changes occur. The asset register must hold important information about each asset, such as 
asset owner, asset location and date of acquisition. 

The municipality should protect the asset register from unauthorized changes by limiting access 
rights. 


7.5 Physical and Security Controls 

To minimize the risks of unauthorised physical access to premises and sensitive areas, the 
municipality should have a manned reception where visitors sign in with the security guards, 
burglar doors, CCTV and access cards. Visitors must record their name, time of entry and the 
person being visited. Authorization must be required before ICT equipment can be taken outside 
the municipal premises, and a register of all equipment taken offsite and returned must be kept. The 
server room must be equipped with an air conditioner, UPS, smoke detectors, a fire suppression 
system and raised floors to protect it from environmental hazards such as flooding, fire and power 
outages. 

The municipality should continue enforcing good practices with regard to physical security and 
environment controls. 
7.6 System Acquisition, Development and Maintenance 

The municipality should develop and manage change control procedures that will ensure only 
authorized system and/or infrastructure changes are introduced to the production environment. 
The procedures should cover: 

• Identification and recording of significant changes (formal change request form) 

• Formal approval procedure for proposed changes (change control committee) 

• Restricting access to program source to authorized personnel (segregating 
developer/database administrator/user responsibilities) 

• Planning and testing of changes prior to implementation (unit testing, interface testing, user testing, full 
functionality testing, etc.) 

• Assessment of potential security impacts 

• Communication of change details to all relevant persons 

• Formulation of back-out plan(s) prior to effecting change(s) 

• Importantly, all system software and hardware development and maintenance must be subjected 
to quality assurance review. 

7.7 Personnel Security 

The municipality must conduct a personnel security management process. The entity’s personnel 
management process must include the following: 

• Background screening of staff 

• Signing of confidential statements and conditions of employment 

• Termination procedures 

• Background screening of contractors and third parties 

• Development of job descriptions/job profiles for employees 

• Security clearance by NIA for security personnel 

The municipality should follow best practices that will ensure that competent and security 
conscious personnel are appointed. 

7.8 Logical Access 

The municipality needs documented user account management procedures that cover user access 
at both network and application system level. The procedures need to include the following: 

• Process for requesting new user access and allocating access rights 

• Segregation of access control roles 

• Process for modifying user privileges 

• Process for terminating existing access 

• Regular checks of administrator activities 
The Municipality must enforce good practices and research new ways of improving security within 
the organization. The municipality should tighten sign-on security by ensuring that system 
administrators are required to use different login credentials when performing their administrative 
functions and their normal user duties. The activities of administrators should be closely monitored 
to ensure that their rights are not used for unauthorized acts. 

7.9 Business Continuity Management 

The security management of the Municipality should ensure that the information risk assessment is 
conducted to inform the municipality’s business continuity plan and the ICT disaster recovery plan. 

• The starting point should be an understanding of critical business processes, 

• Followed by the identification and an inventory of the information assets that support these 
processes. 

• Thirdly, identification of possible security threats against each asset and the impact it might 
have on business. 

• Lastly, the municipality should put together a control mechanism that will minimize the 
impact of the threat should it materialize. 

7.10 Management of the Third Party Relationship 

If the municipality has outsourced IT functions, the outsourcing relationships must be managed by 
a contract agreement. Contracts must contain appropriate clauses with respect to: 

• Adherence to corporate security 

• Adherence to internal control policies and standards for information technology and, 

• Penalties in cases of non-compliance 

The municipality has also developed a process for managing third party service delivery that entails: 

• Regular service reports by the service provider 

• Service level meetings with the service provider and, 

• Assigning the responsibility for service monitoring to a specific individual 

8. GOVERNANCE COMMUNICATIONS AND AWARENESS 

Communications have always been accepted as key to the successful delivery of ICT projects. 
However, the ability to address and balance the priorities within strategic planning intensifies the 
need for communications between institutional management. In addition to consultation on 
strategic requirements, there are other techniques that have been found to enhance institutional 
awareness and buy-in to strategy: 

• Obtain MANCO buy-in and promotion of ICT governance. 

• Use Committees across the municipality to add awareness and create influence. 

• Use Security Officer and compliance function to own and promote ICT governance. 
• Identify and try to win over management who don’t comply. 

• Provide a portal (intranet) for promoting ICT governance information, to ease its use 
and assist in visibility. 

9. GOVERNANCE PERFORMANCE 

Governance allows for the measurement of performance in two areas: 

9.1 Services Performance 

Definitions of ICT service levels and project progress reporting provide both project and 
operational management and reporting to the ICT Steering Committee. Service levels defined and 
agreed as part of the ICT governance must be actively used for service communications and 
monitoring. A tool must be developed in order to improve reporting in relation to project progress 
and final delivery against objectives. 

9.2 Performance Against Institutional Strategy 

Each Head of Department must gauge how well ICT governance is delivering ICT services that 
meet the core institutional strategic objectives. 

The assessment requires: 

1. The definition of a set of strategic objectives or outcomes, for example cost effectiveness, 
transformation, business improvement or agility 

2. Each member of the management team to assess for their domain 

a. The importance of each of the outcomes 

b. The influence of governance on the success of each of the outcomes 

c. Where and why is governance effective 

d. Where and why is governance less effective? 

10. ICT DECISION MAKING MATRIX 

They state that ICT governance is about who makes decisions, while management is about making 
and implementing the decisions. They assert that effective ICT governance will answer three 
questions: 

• What decisions must be made 

• Who should make these decisions 

• How are they made and monitored 
The above framework diagram illustrates the requirements for harmonization of institutional 
strategy and organization with ICT governance arrangements and the institutional performance 
goals. 

The institutional strategy, ICT governance arrangements and performance goals are enacted through 
the ICT organization and desirable behaviours, ICT governance mechanisms and performance 
metrics, respectively. 

The adopted ICT governance methodology suggests that there are five interrelated ICT decisions that 
should be considered together with the decision making structure. The following diagrams, 
adapted from their work, illustrate a governance framework: 


Key ICT Governance Decisions 

1 ICT principles: High-level statement about how ICT is to be used in the institution 

2 ICT architecture decisions: Organizing logic for data, applications, and infrastructure. These are 
captured in a set of policies, relationships and technical definitions. They ensure the desired 
institution and technical standards and levels of integration are achieved 

3 ICT infrastructure decisions: Centrally co-ordinated, shared ICT services that provide the 
foundation for the enterprise’s ICT capability 

4 Institutional applications needs: Specifying the institutional need for purchased or internally 
developed ICT applications 

5 ICT investment and prioritization decisions: Decisions about how much and where to invest in IT, 
including project approvals and justification techniques 


The institution is required to decide the governance arrangements for each key decision area. The 
harmonizing of each decision making group will significantly affect the decisions and outcomes and 
is therefore able to affect strategy alignment. The groups, or governance archetypes, have been 
categorized as: 


CODE   Name                    Description 

IT001  Institutional monarchy  Municipal Manager and Heads of Department 

IT002  ICT monarchy            ICT Steering Committee 

IT003  User Forum              User Forum representing users from each Department 

IT004  System Owners           System owners and vendors (hardware and software) of technologies 
                               used in the Municipality 

IT005  Super Users             Isolated individual or small decision group 

IT006  Technology Specialist   Service Providers, Specialists, Vendors 

These archetypes are used below to illustrate an example governance structure: 


An example of the ICT governance decision making structure 
11. ICT GOVERNANCE STRUCTURES AND MODELS 

Guiding Principles for ICT 

[Diagram: Guiding Principles: ISO 38500/King III] 

The above diagram depicts all the adopted national and international standards and guidelines for 
the Municipality’s ICT governance framework. All of the above shall be used in formulating policies, 
rolling out projects and in deploying and controlling ICT services. 
ICT Supply Chain Risk Management requires contributions and collaboration among many 
disciplines with recognized standards. The diagram at this point lists the following standards: 

• ISO/IEC 27005 (Risk Management Information Security) 

• ISO/IEC 16085 (Risk Management Life Cycle Processes) 

• ISO/IEC 31000 (Risk Management Principles and Guidelines) 

• ISO/IEC EEE : Systems 

• ISO/IEC 15026 (Systems Assurance) 

• IEEE 1062 (Software Acquisition) 

• Capability Maturity Model Integration / CMMI 

• Development Lifecycle 

• Programming Language 
12. POLICIES TO BE ADOPTED AS PART OF ICT GOVERNANCE 

A consolidated information & communication technology usage and security policy will be 
developed and adopted by the Municipality. The Policy shall be guided by the following: 

1. Information System Security Policy 

2. Internet Usage Policy 

3. Email Usage Policy 

4. Network Usage Policy 

5. Front End Peripheral Usage Policy 

6. Change Management Policy 

7. Physical Access control and environmental Control Policy 

8. Logical Access Control Policy 
9. Antivirus and Software Updates Policy 

10. Backup and Restore Policy 

11. Backup Strategy 

12. Network Management & Procedure Policy 

13. Disaster Recovery Policy 

13. ICT GOVERNANCE STRUCTURES 

13.1 ICT Governance Structures 

The following organogram depicts the ICT governance structures for the Municipality. 



13.2 Roles and Responsibility of the ICT Governance Structures 

13.2.1 MANCO 

MANCO (Management Committee) must play an oversight role on ICT projects and activities and 
must also ensure that ICT is budgeted for in their respective departments. 

13.2.2 DCGITOC 

The District Government Information Technology Council shall facilitate co-ordination and sharing 
of ICT services between the Municipality and other role players. 

13.2.3 ICT STEERING COMMITTEE 

The ICT Steering Committee must be responsible for the following: 
13.2.3.1 LEADERSHIP AND DIRECTION 

Articulate the Municipality’s goals and vision; drive, guide and inspire. It must direct the Municipality’s 
strategies and operations with a view to achieving sustainable economic, social and environmental 
performance. 

The Committee is to: 

■ Place IT on the board agenda 

■ Clarify business strategies and objectives, and the role of IT in achieving them 

■ Delegate responsibility for implementing an IT governance framework 

■ Determine and communicate levels of risk tolerance/appetite 

■ Assign accountability for the organizational changes needed for IT to succeed. 

13.2.3.2 MONITOR AND EVALUATE 

The Committee is to: 

■ Ensure that IT is aligned with Municipality’s objectives. 

■ Monitor and evaluate the extent to which IT actually sustains and enhances the company objectives. 

■ Monitor and evaluate the acquisition and appropriate use of technology, process and people 

■ Ensure that an internal control framework has been adopted, implemented and is effective 

■ Use the risk and audit committees to assist the board to fulfil its responsibilities 

■ Obtain project assurance from independent experts that IT management apply basic elements of 
appropriate project management principles to all IT projects. 

■ Obtain independent assurance of the governance and controls supporting outsourced services. 

■ Monitor the application of King III governance principles by all parties, at all levels (starting with 
the Committee), at all stages of business operations, across organizational boundaries (including third 
parties) and for the acquisition and disposal of IT goods and services. 

13.2.3.3 IT Reporting to the MANCO 

Management should increase transparency and provide the board with complete, timely, relevant, 
accurate and accessible information about: 

■ The likelihood of IT achieving its objectives 

■ IT’s resilience to learn and adapt 

■ The judicious management of the inherent risks from using IT, including disaster recovery 

■ How well IT has recognized opportunities and acted on them 

The Committee should take steps to ensure that resources are in place so that comprehensive 
IT reporting is in place, both from management to the board and from the board in the integrated report. 
14. THE ROLE AND RESPONSIBILITIES: CHIEF INFORMATION OFFICERS 

The Municipality is appointing a suitably qualified and experienced individual as the chief 
information officer, who is expected to: 

• Interact regularly on matters of IT governance with the board, or appropriate board committee, 
or both, to understand the accountability and responsibility of IT. 

• Implement an IT Governance framework to deliver value and manage risk. 

• Implement an Accountability framework to assign decision-making rights. 

• Implement a suitable organizational structure and define terms of reference. 

• Incorporate IT into the business processes in a secure, sustainable manner. 

• Implement an ethical IT governance and management culture. 

• Implement an IT control framework. 

• Obtain assurance on the effectiveness of the IT control framework. 

• Implement processes to ensure that reporting to the board is complete, timely, relevant, 
accurate and accessible. 

• Implement a strategic IT planning process that is integrated with the business strategy 
development process. 

• Integrate IT plans with the business plans. 

• Define, maintain and validate the IT value proposition. 

• Align IT activities with environmental sustainability objectives. 

• Include relevant representation from the business in oversight structures. 

• Have regard for the legislative requirements that apply to IT. 

• Translate business requirements into efficient IT solutions 

• Support the business and governance requirements in a timely and accurate manner through 
the acquisition of people, process and technology. 

• Optimize resource usage and leverage knowledge. 

• Ensure that the business value proposition is proportional to the level of investment. 

• Deliver the expected return from IT investment 

• Protect information and intellectual property 

• Promote sharing and re-use of IT assets. 

• Monitor and enforce good governance principles across all parties in the chain from supply to 
disposal of IT services and goods. 

• Obtain independent assurance that outsourced service providers have applied the principles of 
IT governance. 

• Obtain independent assurance of the effectiveness of the IT controls framework implemented 
by services providers. 

• Obtain independent assurance that the basic elements of appropriate project management 
principles are applied to all IT projects. 

• Regularly demonstrate to the board that the company has adequate business resilience 
arrangements in the event of a disaster affecting IT. 

• Implement a risk management process based on the board’s risk appetite. 

• Select and use an appropriate framework for managing risk (e.g. COSO) 

• Comply with applicable laws and regulations. 

Author: Sbusiso Langa Review: ICT Committee Approve: [Manager] 

File Name: ThabaPolJCT Governance Framework_vl.lpdf 

Version 1.1 

• Implement an IT controls framework. 

• Manage information assets effectively. 

• Implement an information security management system in accordance with an appropriate 
information security framework. 

• Provide the Audit and Risk Committees with relevant information about IT risks and the 
controls in place. 

• Measure, manage and communicate IT performance. 

• Report to the IT Steering Committee on IT performance. 

15. THE ROLE AND RESPONSIBILITY OF A SECURITY OFFICER 

The Municipality must appoint a Security Officer who will support the head of the institution or the 
CITO by performing the informally delegated responsibilities in respect of IT security. The head of 
the institution should formally delegate these responsibilities to the security officer, which should at 
least include the following: 

• Develop and maintain an IT security policy, as well as security procedures and standards for 
the operating unit and provide guidance consistent with the municipality’s requirements and 
the specifications of the MISS. 

• Conduct reviews of all systems to ensure that effective IT security policies are in place for 
each system and include the following: 

■ Risk assessments 

■ Current and effective IT security plans that are integrated into all stages of the system life cycle 

■ Annual system assessments 

■ Current and tested contingency plans 

■ Current certification and accreditation 

• Conduct annual assessments of the operating unit’s IT security programme to confirm the 
effective implementation of and compliance with established policies and procedures. 

• Establish a process for tracking remedial actions to mitigate risks in accordance with the 
institution’s standard for plans of action and milestones. 

• Maintain the IT system inventory in accordance with the institution’s standard for inventory 
management. 

• Establish a process for ensuring that all users (such as the IT security officer, system 
administrators, contracted staff, technical representatives) are periodically briefed about IT 
security awareness and receive copies of rules of behaviour, as well as training to enable them 
to fulfill their IT security responsibilities and understand the consequences of non-compliance. 

• Act as the operating unit’s central point of contact for all incidents, develop procedures for 
dealing with incidents and report all incidents to the incident response function. 

• Participate as a voting member in the institution’s IT security coordinating committee (SCC), 
as well as in special committees under the IT SCC and provide other support to the IT SCC as 
required. 

• Cooperate with the institution’s accounting officer and the CIO on IT security matters 
(concerning incidents, potential threats and other concerns). 

• Ensure that system owners establish processes to ensure that: 

■ IT personnel receive specialized training 

■ Access privileges are revoked in a timely manner (e.g. after transfer, resignation, retirement, change 
of job description, etc.). In the case of individuals who are separated for adverse reasons, such 
privileges should be revoked immediately upon, or just prior to notification of the impending action. 

• Serve as certification agent for systems within his/her operating unit (except in the case of 
systems for which the IT security officer is also the system owner, or moderate and high-impact 
systems for which the IT security officer is also the IS security officer). 

• Establish a process for identifying, tracking and reporting on security patch management. 

• Establish a chain of custody that documents the name, title, office and telephone number 
of each individual who has sequential possession of a system’s hard drive when it is removed 
due to compromise and might be subjected to forensic examination as evidence in potential 
prosecutions. 

• Ensure that cryptography is used for the transmission of classified information that impacts 
national security, in accordance with the institution’s security. 

• Ensure that IT security is addressed in the development and acquisition of information 
systems and security-related products and services by: 

■ Following methodology for security considerations in the information system development life 
cycle. 

■ Working with system owners to determine the information type and system impact levels and the 
control baseline for the protections of the system and its data. 

■ Working with system owners to ensure the integration of the system security configuration into the 
security architecture, which in turn is integrated into the institution’s overarching IT enterprise 
architecture. 

• Ensure that network and system warning banners communicate that there is no expectation of 
privacy in the authorized or unauthorized use of IT systems. 

• Ensure that the institution’s policies and practices allow for the following account 
management controls: 

■ Creation of accounts based on formal requests and authorization by the users’ supervisors. 

■ Identification and documentation of user accounts with appropriate access levels/account 
permissions. 

■ Account termination 

■ Periodic status review of all currently open accounts on all systems through the auditing (review) of 
user accounts (employee, contractor and guest accounts). 

• Administer access control software. 

• Review access rights on a regular basis to ensure compliance with the data security policies 
and procedures. 

• Monitor security and investigate security violation attempts. 

16. INTERNAL AUDIT 

16.1 ICT Institutional Alignment 

ICT must be treated as a strategic support function of the Municipality and should be located under 
the office of the Municipal Manager, as recommended by the King III (Corporate Codes of 
Governance) report on corporate governance. 

What is ISO 27001? 

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security 
management system (ISMS). An ISMS is a framework of policies and procedures that includes all 
legal, physical and technical controls involved in an organisation's information risk management 
processes. 

According to its documentation, ISO 27001 was developed to "provide a model for establishing, 
implementing, operating, monitoring, reviewing, maintaining and improving an information 
security management system." 

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification 
defines a six-part planning process: 

1. Define a security policy. 

2. Define the scope of the ISMS. 

3. Conduct a risk assessment. 

4. Manage identified risks. 

5. Select control objectives and controls to be implemented. 

6. Prepare a statement of applicability. 

The specification includes details for documentation, management responsibility, internal audits, 
continual improvement, and corrective and preventive action. The standard requires cooperation 
among all sections of an organisation. 

The 27001 standard does not mandate specific information security controls, but it provides a 
checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 
27002:2005. This second standard describes a comprehensive set of information security control 
objectives and a set of generally accepted good practice security controls. 

ISO 27002 contains 12 main sections: 

1. Risk assessment 

2. Security policy 

3. Organization of information security 

4. Asset management 

5. Human resources security 

6. Physical and environmental security 

7. Communications and operations management 

8. Access control 

9. Information systems acquisition, development and maintenance 

10. Information security incident management 

11. Business continuity management 

12. Compliance 
Organisations are required to apply these controls appropriately in line with their specific risks. 
Third-party accredited certification is recommended for ISO 27001 conformance. 

Other standards being developed in the 27000 family are: 

• 27003 - Implementation guidance. 

• 27004 - An information security management measurement standard suggesting metrics to 
help improve the effectiveness of ISMS. 

• 27005 - An information security risk management standard. (Published in 2008) 

• 27006 - A guide to the certification or registration process for accredited ISMS certification 
or registration bodies. (Published in 2007) 

• 27007 - ISMS auditing guideline. 